Client Requirements:

VPN clients must support the same cryptography in order to connect. Consider how Windows clients use DH2-3DES-SHA1 by default (yikes). I'll provide instructions on how to update Windows 10, iPhones, and Android IPsec clients in an upcoming article.

PowerShell:

PowerShell can implement stronger IKEv2 security targets on both Windows 8.1 and Server 2012 R2.

Be warned, the process is challenging. If you go this route, don't test it out on production servers. Also, the TechNet examples create a new GPO specific to IKEv2 that does not account for all the other firewall rules. In other words, it creates a new firewall policy that only permits IKEv2 traffic, so it's easy to get locked out without console access.

The trick is to copy ALL firewall rules, IPsec rules, and crypto sets (and anything else I haven't thought of) to the new GPO, all through PowerShell. Alternately, use the GUI to copy the existing firewall settings to a separate firewall policy (i.e., separate from the PowerShell IKEv2 GPO). Do not use the GPO GUI to edit the IKEv2 (i.e., PowerShell) firewall policy or you risk corrupting it. You can then apply both GPOs to the VPN server.

We may also be able to accomplish the same thing by saving the objects to the local policy store. Don't take my word on this because I haven't tried it yet. So yeah, this is a bit more work, but the benefits should be solid security and greater interoperability.
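As an added example (not the author's script and not the TechNet one), here is the copy-first-then-add sequence described above in PowerShell: every existing firewall and IPsec object is copied into the new GPO before the DH14-AES256-SHA256 IKEv2 policy is created in it, so the GPO is never IKEv2-only. The domain, GPO names and CA name are placeholders, and the script assumes the GroupPolicy and NetSecurity modules in an elevated session on a domain-joined VPN server.

```powershell
# Added example (not the author's or Microsoft's script). It builds the
# IKEv2 crypto policy in a new GPO and first copies every existing
# firewall/IPsec object into it, so the GPO is a superset of the current
# policy rather than an IKEv2-only one. Domain, GPO and CA names are
# placeholders. Needs the GroupPolicy and NetSecurity modules, run elevated.
Import-Module GroupPolicy, NetSecurity

$Domain  = 'corp.example'                        # placeholder domain
$GpoName = 'VPN-IKEv2-Crypto'                    # placeholder: new GPO created below
$Source  = "$Domain\VPN-Server-Firewall"         # placeholder: existing firewall GPO
$Target  = "$Domain\$GpoName"                    # 'PersistentStore' would target the local policy instead

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $GpoName | Out-Null }
$gpo = Open-NetGPO -PolicyStore $Target          # batch all edits; saved once at the end

# 1. Copy the existing objects across, sets before the rules that reference them.
Get-NetIPsecPhase1AuthSet      -PolicyStore $Source | Copy-NetIPsecPhase1AuthSet      -NewGPOSession $gpo
Get-NetIPsecPhase2AuthSet      -PolicyStore $Source | Copy-NetIPsecPhase2AuthSet      -NewGPOSession $gpo
Get-NetIPsecMainModeCryptoSet  -PolicyStore $Source | Copy-NetIPsecMainModeCryptoSet  -NewGPOSession $gpo
Get-NetIPsecQuickModeCryptoSet -PolicyStore $Source | Copy-NetIPsecQuickModeCryptoSet -NewGPOSession $gpo
Get-NetIPsecMainModeRule       -PolicyStore $Source | Copy-NetIPsecMainModeRule       -NewGPOSession $gpo
Get-NetIPsecRule               -PolicyStore $Source | Copy-NetIPsecRule               -NewGPOSession $gpo
Get-NetFirewallRule            -PolicyStore $Source | Copy-NetFirewallRule            -NewGPOSession $gpo

# 2. Main mode (IKE SA) proposal: DH14 key exchange, AES-256, SHA-256.
$mmProp = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet  = New-NetIPsecMainModeCryptoSet -DisplayName 'IKEv2 MM DH14-AES256-SHA256' -Proposal $mmProp -GPOSession $gpo

# 3. Quick mode (child SA) proposal: ESP with AES-256 and SHA-256 integrity.
$qmProp = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet  = New-NetIPsecQuickModeCryptoSet -DisplayName 'IKEv2 QM AES256-SHA256' -Proposal $qmProp -GPOSession $gpo

# 4. IKEv2 in Windows Firewall authenticates with machine certificates only.
$authProp = New-NetIPsecAuthProposal -Machine -Cert -Authority 'CN=Corp Root CA' -AuthorityType Root  # placeholder CA
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'IKEv2 Machine Cert' -Proposal $authProp -GPOSession $gpo

# 5. The main mode rule binds the DH14/AES256/SHA256 set; the IPsec rule selects IKEv2.
New-NetIPsecMainModeRule -DisplayName 'IKEv2 MM Rule' -MainModeCryptoSet $mmSet.Name `
    -Phase1AuthSet $authSet.Name -GPOSession $gpo
New-NetIPsecRule -DisplayName 'IKEv2 Transport Rule' -KeyModule IKEv2 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name -GPOSession $gpo

Save-NetGPO -GPOSession $gpo                     # write all changes to the GPO in one pass

# Review what landed before linking the GPO to the VPN server's OU (New-GPLink).
Get-NetIPsecMainModeCryptoSet -PolicyStore $Target | Format-Table DisplayName, Name
Get-NetFirewallRule           -PolicyStore $Target | Measure-Object | Select-Object Count
```

Link the GPO only after the last two commands show the copied firewall rules alongside the new crypto set; a GPO that contains just the IKEv2 objects is exactly the lock-out case described above.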

If anyone completes this script before I get around to it please forward me your work! Either way, I'm sure it will be good material for another blog article.

Steven Jordan is an infrastructure and process management specialist. Steven holds a Master of Science degree in ICT from the University of Wisconsin Stout. Steven is also a Cisco Certified Network Professional (CCNP) and Master Gardener.

11 Comments

When I add the reg key IKEv2CustomPolicy with DH14-AES256-SHA256 settings, I cannot connect to the server with less secure settings (for example from a Win Phone). Is it possible to configure the server to support more than one type of cipher settings?

Yes, this is a limitation (or strength). It prevents the use of weak cryptographic algorithms. For your situation, I suggest using dynamic site-to-site VPNs. You can define a different cipher suite for every S2S interface. You can then assign S2S interfaces to specific clients. S2S VPNs work alongside RRAS remote access client VPNs: http://www.stevenjordan.net/2016/11/dynamic-s2s-vpns.html

Hi Steven. I know this is an old post. Hope you reply. There is "IPsec Settings" in "Windows Firewall with Advanced Security"; I tried to set the above parameters there instead of in the registry, but it didn't work. Why?

It probably doesn't work because IPsec policies, in the Windows Firewall GUI, only apply to IKEv1, not IKEv2. N.B., IPsec firewall policy will affect L2TP VPNs. That's only because L2TP and Win Firewall use the same flavor of IPsec (v1).

The absolute easiest way to improve IPsec in Windows is with the NegotiateDH2048_AES256 regedit. Instructions are found here:

http://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html

This registry change provides acceptable security: DH14-AES128-SHA1. It works for both IKEv1 (Win Firewall and L2TP) and IKEv2 VPNs. It also works for both clients and servers.

The only limitation is that it prevents stronger cryptography. Nonetheless, it's a MUCH better option than doing nothing.

By all means, choose the highest encryption levels that your hardware (i.e., servers and clients) supports. The only caveat is the highest encryption and hashing levels limit the number and types of devices that can connect.

For example, the very first comment describes how their client was unable to connect after they implemented stronger security measures. Their old Windows phone simply could not connect to the server via DH14-AES256-SHA256. N.B., neither can the iPhone 6 or iPhone 7.

In a perfect world, we implement a policy that prevents insecure devices altogether. In the real world, we support Windows laptops, Android phones, iPhones, Chromebooks, etc. Each device has different encryption and hashing limitations. However, in my experience most devices support MM: IKE-DH14-AES256-SHA1 and QM: AES128-SHA1.

Hi Steven, I've installed RRAS (Win2016) for IKEv2 VPN clients. Authentication is based on machine certificates. Clients are able to connect without any problem. If I revoke the computer certificate on the internal CA, the computer is still able to connect. I've published a new CRL and confirmed the revoked cert is on the list. Do you know how to enable revocation checking on the RRAS server?
